LastPass 2.0 Released but Beware Default PBKDF2 Setting

Looks like LastPass just released a major version update. Welcome to 2.0! I’ve been a closet LastPass user for a number of years and find it very convenient for being able to securely access a single password store from multiple computers (e.g., home, work, and customer). This flexibility is especially convenient if you are in an area with Internet access but policies restrict bringing in outside computers or storage devices. We could go on about some of its other cool security features (e.g., support for various two-factor authentication mechanisms such as Google Authenticator, Grid, and YubiKey; one-time recovery password; and backup/restore of the password database) but that topic could be several posts in and of itself.

Some of their version 2.0 improvements include PBKDF2, secure attachments, and credit monitoring. Wait … what? Credit monitoring? We think they may be stretching their feature set a bit too far with this last one. A revenue generation stream for LastPass perhaps? I heard those customer acquisition kickback fees can be quite high. I guess you could just choose not to use it. The secure attachments feature also seems interesting, but I don’t see myself using it that much. So that leaves the addition of PBKDF2, which I think actually may have been added a few updates ago if I recall correctly. Anyway, we discussed PBKDF2 before as part of the LinkedIn fiasco; it basically runs the password through many hashing iterations, making each guess slower and helping thwart local password brute-force attacks.

The LastPass PBKDF2 feature also comes with a configuration option that allows users to modify the number of iterations. If you want more security, simply increase the value from the default of 500. I investigated this setting and discovered mine was set to 1. Ummm … not good. I’ve heard older accounts might be configured this way by default for backward compatibility reasons. So you should probably check yours as well…
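To make the iteration count concrete, here is an added example (my own demonstration code, not LastPass’s implementation and not from the original post). It uses Python’s standard `hashlib.pbkdf2_hmac` to derive a key from a constructed master password at 1, 500, and 5000 iterations, shows that an iteration count of 1 collapses PBKDF2 to a single salted HMAC, and measures how much more each guess costs as the setting rises. The choice of SHA-256, the 32-byte key length, and the e-mail-style salt are assumptions for illustration; the post does not state what LastPass actually uses.

```python
import hashlib
import hmac
import time

# Constructed sample inputs for the demonstration; not real credentials.
MASTER_PASSWORD = b"correct horse battery staple"
# Assumption for illustration: the salt is a per-user value such as the
# account e-mail. The post does not say what LastPass really salts with.
SALT = b"user@example.com"
KEY_LEN = 32          # 256-bit derived key (assumed for the demo)
MIN_ITERATIONS = 500  # the post's "at least 500" check


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 (hash function is an assumption for this demo)."""
    if iterations < 1:
        raise ValueError("PBKDF2 requires at least one iteration")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN)


def single_hmac(password: bytes, salt: bytes) -> bytes:
    """What PBKDF2 degenerates to with iteration count 1: one HMAC over
    salt || INT(1), i.e. essentially a plain salted hash with no stretching."""
    return hmac.new(password, salt + b"\x00\x00\x00\x01", hashlib.sha256).digest()


def check_iteration_setting(iterations: int, minimum: int = MIN_ITERATIONS) -> bool:
    """The check the post describes: flag anything below the minimum."""
    return iterations >= minimum


def seconds_per_derivation(iterations: int, repeats: int = 50) -> float:
    """Average wall-clock cost of one key derivation at this setting."""
    start = time.perf_counter()
    for _ in range(repeats):
        derive_key(MASTER_PASSWORD, SALT, iterations)
    return (time.perf_counter() - start) / repeats


def relative_cost(low: int, high: int) -> float:
    """How many times more expensive each guess becomes when moving from
    `low` to `high` iterations (on this machine, single-threaded)."""
    return seconds_per_derivation(high) / seconds_per_derivation(low)


def seconds_to_try(iterations: int, guesses: int) -> float:
    """Rough time someone with one CPU core like this one would need to
    test `guesses` candidate master passwords against a stolen vault key.
    Useful for judging how much an iteration setting actually buys you."""
    return seconds_per_derivation(iterations) * guesses


if __name__ == "__main__":
    for setting in (1, 500, 5000):
        status = "OK " if check_iteration_setting(setting) else "LOW"
        per_guess_us = seconds_per_derivation(setting) * 1e6
        hours = seconds_to_try(setting, 10_000_000) / 3600
        print(f"[{status}] iterations={setting:>5}: {per_guess_us:8.1f} us per guess, "
              f"10 million guesses in {hours:.2f} h")
    print("500 vs 1 iterations cost ratio: %.0fx" % relative_cost(1, 500))
```

Run it as a script and compare the rows: the “1” setting the post found on older accounts is the degenerate case where the derived key is just one HMAC of the password, so every guess is as cheap as a single hash. Raising the setting multiplies the cost of each guess roughly linearly, which is why the post’s advice to check for at least 500 matters; the absolute timings depend on your hardware, so treat the printed hours as a relative yardstick rather than a prediction.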

Checking your PBKDF2 iteration setting is relatively easy. Under your LastPass plugin, select Preferences. Choose Account Settings and click the link to manage your preferences online. The Edit Settings window should open as shown below. On the General tab look for the “Password Iterations (PBKDF2)” value and make sure it’s set to at least 500. If you choose to update the value, LastPass will require you to enter your master password and then it’ll re-encrypt your entire password store.


I’ve always been a huge fan of LastPass as they seem to take security very seriously. Combine that with the flexibility of cross-computer use and improvements such as the better overall user interface, and I think it makes a worthy upgrade. You sure can’t beat the price… And maybe if more people sign up for the pay version (only $1 a month), LastPass can dump the credit reporting thing. 😉

#####

Have you used LastPass 2.0? Let us know what you think in the comments below. Today’s post pic is from LastPass.com. The configuration screenshot is from InsanityBit. See ya!

About Us

Founded in 2008, NoVA Infosec is dedicated to the community of Metro DC-based security professionals and whitehat hackers involved in the government and other regulated verticals. Find out more on our About Us page.